Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method, comprising: executing, using an electronic circuit, an iterative calculation on a first number and a second number, wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number, wherein the determined iterative calculation routine is selected from a set of iterative calculation routines comprising a square-and-multiple always routine and a Montgomery multiplication routine, and the determining the iterative calculation routine of the bit of the second number is performed randomly; and executing the determined iterative calculation routine; and generating a result of the iterative calculation based on a result of the determined iterative calculation routine of a last bit of the second number.
This invention relates to secure modular exponentiation in electronic circuits, addressing vulnerabilities to side-channel attacks. Modular exponentiation is a critical operation in cryptographic systems, but traditional implementations can leak information through timing or power consumption, allowing attackers to deduce secret keys. The invention mitigates this risk by randomizing the computation path for each bit of the exponent during the iterative calculation. The method involves executing a modular exponentiation on two numbers, where the second number represents the exponent. For each bit of the exponent, the system randomly selects an iterative calculation routine from a predefined set, which includes a square-and-multiple always routine and a Montgomery multiplication routine. The selection is made independently of the bit's state, ensuring unpredictability. This randomization prevents attackers from correlating side-channel observations with specific computation steps, thereby protecting the operation against timing and power analysis attacks. The final result is derived from the routine executed on the last bit of the exponent. By dynamically choosing between different computation paths, the method obscures the relationship between the exponent's bits and the computational steps, enhancing security without sacrificing performance. This approach is particularly useful in cryptographic applications where resistance to side-channel attacks is essential.
2. The method of claim 1 wherein steps of the determined iterative calculation routine vary according to the state of the bit of the second number.
3. The method of claim 1 , comprising: initializing variables stored in a memory prior to executing the iterative calculation; after determining the iterative calculation routine of a bit, determining whether to update a variable stored in the memory prior to execution of the determined iterative calculation routine; and in response to a determination to update the variable stored in the memory, updating the variable stored in the memory prior to execution of the determined iterative calculation routine.
4. The method of claim 3 wherein the determination of the iterative calculation routine of a bit is random.
5. The method of claim 1 , comprising: initializing a first memory location or register to one; initializing a second memory location or register to a value of the first number; and successively, for each bit of the second number: selecting an iterative calculation routine between a first routine and a second routine; and in case of a change of routine, updating content of the second memory register or location before executing the selected iterative calculation routine.
6. A method, comprising: executing, using an electronic circuit, an iterative calculation on a first number and a second number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number; and executing the determined iterative calculation routine; and generating a result of the iterative calculation based on a result of the determined iterative calculation routine of a last bit of the second number, wherein the method comprises: initializing a first memory location or register to one; initializing a second memory location or register to a value of the first number; and successively, for each bit of the second number: selecting an iterative calculation routine between a first routine and a second routine; and in case of a change of routine, updating content of the second memory register or location before executing the selected iterative calculation routine, wherein the result of the iterative calculation is contained in said first memory location or register after execution of the determined iterative calculation routine of the last bit of the second number.
7. The method of claim 6 wherein the determined iterative calculation routine is selected from a set of iterative calculation routines.
This invention relates to computational methods for solving mathematical problems, particularly those requiring iterative calculations. The problem addressed is the inefficiency and potential inaccuracy of fixed iterative calculation routines when applied to diverse mathematical problems. A system dynamically selects an iterative calculation routine from a predefined set of routines based on the specific characteristics of the problem being solved. The selection is made by analyzing the problem's structure, such as its dimensionality, nonlinearity, or convergence properties, to determine the most suitable routine. The selected routine is then applied to iteratively solve the problem, improving computational efficiency and accuracy. The predefined set of routines may include different numerical methods, such as gradient descent, Newton-Raphson, or conjugate gradient, each optimized for different problem types. The system may also adjust parameters within the selected routine, such as step size or convergence thresholds, to further optimize performance. This approach ensures that the iterative calculation routine is tailored to the problem's requirements, reducing computational overhead and enhancing solution accuracy. The invention is applicable in fields such as optimization, numerical analysis, and scientific computing, where iterative methods are commonly used.
8. The method of claim 7 wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number.
9. The method of claim 8 wherein the set of iterative calculation routines comprises: a square-and-multiple always routine; and a Montgomery multiplication routine.
10. The method of claim 9 wherein the determining the iterative calculation routine of the bit of the second number is performed randomly.
11. The method of claim 6 wherein the iterative calculation is a scalar multiplication on an elliptic curve, the second number being a scalar to be multiplied by the first number.
12. A device, comprising: a memory; and processing circuitry, coupled to the memory, wherein the processing circuitry, in operation, executes an iterative calculation on a first number and a second number, wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number, wherein the determined iterative calculation routine is selected from a set of iterative calculation routines comprising a square-and-multiple always routine and a Montgomery multiplication routine, and the determining the iterative calculation routine of the bit of the second number is performed randomlv; and executing the determined iterative calculation routine of the bit, wherein a result of the iterative calculation is based on a result of the determined iterative calculation routine of a last bit of the second number.
The invention relates to cryptographic security, specifically protecting modular exponentiation operations from side-channel attacks. Modular exponentiation is a fundamental operation in public-key cryptography, but it is vulnerable to side-channel attacks that exploit physical characteristics like power consumption or timing variations. The invention addresses this by randomizing the computation steps to prevent attackers from inferring sensitive data. The device includes a memory and processing circuitry that performs modular exponentiation on two numbers: a base (first number) and an exponent (second number). For each bit of the exponent, the processing circuitry randomly selects an iterative calculation routine from a predefined set, which includes a square-and-multiple always routine and a Montgomery multiplication routine. The selection is made independently of the bit's state, ensuring that the computation path is unpredictable. This randomization obscures the relationship between the exponent bits and the computation steps, making it difficult for attackers to extract information through side-channel analysis. The final result is derived from the last bit's routine, ensuring correctness while maintaining security. The approach enhances resistance to timing and power analysis attacks without requiring additional hardware.
13. The device of claim 12 wherein steps of the determined iterative calculation routine of the bit vary according to the state of the bit of the second number.
14. The device of claim 12 wherein the processing circuitry, in operation: initializes variables stored in the memory prior to executing the iterative calculation; after determining the iterative calculation routine of a bit, determines whether to update a variable stored in the memory prior to execution of the determined iterative calculation routine; and in response to a determination to update the variable stored in the memory, updates the variable stored in the memory prior to execution of the determined iterative calculation routine.
15. The device of claim 14 wherein the determination of the iterative calculation routine of a bit is random.
16. The device of claim 12 wherein the processing circuitry, in operation: initializes a first memory location or register of the memory to one; initializes a second memory location or register of the memory to a value of the first number; and successively, for each bit of the second number: selects an iterative calculation routine between a first routine and a second routine; and in case of a change of routine, updates content of the second memory register or location before executing the selected iterative calculation routine.
17. A device, comprising: a memory; and processing circuitry, coupled to the memory, wherein the processing circuitry, in operation, executes an iterative calculation on a first number and a second number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number; and executing the determined iterative calculation routine of the bit, wherein a result of the iterative calculation is based on a result of the determined iterative calculation routine of a last bit of the second number, wherein the processing circuitry, in operation: initializes a first memory location or register of the memory to one; initializes a second memory location or register of the memory to a value of the first number; and successively, for each bit of the second number: selects an iterative calculation routine between a first routine and a second routine; and in case of a change of routine, updates content of the second memory register or location before executing the selected iterative calculation routine, wherein the result of the iterative calculation is contained in said first memory location or register after execution of the determined iterative calculation routine of the last bit of the second number.
18. The device of claim 17 wherein the determined iterative calculation routine of the bit of the second number is selected from a set of iterative calculation routines.
19. The device of claim 18 wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number.
20. The device of claim 19 wherein the set of iterative calculation routines comprises: a square-and-multiple always routine; and a Montgomery multiplication routine.
21. The device of claim 20 wherein the determined iterative calculation routine of the bit of the second number is randomly selected from the set.
22. The device of claim 17 wherein the iterative calculation is a scalar multiplication on an elliptic curve, the second number being a scalar to be multiplied by the first number.
23. A system, comprising: one or more processing cores, which, in operation, process digital data; and cryptographic circuitry, coupled to the one or more processing cores, wherein the cryptographic circuitry, in operation, executes an iterative calculation on a first number and a second number, wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number, wherein the determined iterative calculation routine is selected from a set of iterative calculation routines comprising a square-and-multiple always routine and a Montgomery multiplication routine, and the determining the iterative calculation routine of the bit of the second number is performed randomly; and executing the determined iterative calculation routine of the bit, wherein a result of the iterative calculation is based on a result of the determined iterative calculation routine of a last bit of the second number.
24. The system of claim 23 wherein the iterative calculation is a scalar multiplication on an elliptic curve, the second number being a scalar to be multiplied by the first number.
25. The system of claim 23 wherein the one or more processing cores, in operation, process a transaction based on a result of the iterative calculation.
26. A non-transitory computer-readable medium, having contents which cause one or more processing devices to perform a method, the method comprising: executing using an electronic circuit an iterative calculation on a first number and a second number, wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number, wherein the determined iterative calculation routine is selected from a set of iterative calculation routines comprising a square-and-multiple always routine and a Montgomery multiplication routine, and the determining the iterative calculation routine of the bit of the second number is performed randomly; and executing the determined iterative calculation routine; and generating a result of the iterative calculation based on a result of the determined iterative calculation routine of a last bit of the second number.
27. The non-transitory computer-readable medium of claim 26 wherein the method comprises processing a transaction based on a result of the iterative calculation.
This invention relates to financial transaction processing systems that use iterative calculations to determine transaction outcomes. The problem addressed is the need for accurate and efficient transaction processing in systems where multiple factors, such as risk assessment, fraud detection, or compliance checks, require iterative computations before finalizing a transaction. The invention provides a method for processing transactions by performing iterative calculations that evaluate transaction parameters against predefined criteria. These calculations may involve iterative algorithms that refine transaction outcomes based on dynamic data inputs, such as real-time risk scores or fraud detection metrics. Once the iterative process completes, the system processes the transaction according to the final result, which may include approval, rejection, or modification of the transaction terms. The method ensures that transactions are evaluated comprehensively before execution, improving decision-making accuracy and reducing errors. The iterative approach allows for adaptive processing, where intermediate results can influence subsequent calculations, leading to more precise transaction outcomes. This system is particularly useful in financial services, payment processing, and compliance management, where transaction decisions must balance speed with accuracy. The invention enhances transaction security and reliability by incorporating iterative validation steps that dynamically adjust to changing conditions.
28. A system, comprising: one or more processing cores, which, in operation, process digital data; and cryptographic circuitry, coupled to the one or more processing cores, wherein the cryptographic circuitry, in operation, executes an iterative calculation on a first number and a second number, the executing including protecting the iterative calculation against side-channel attacks by, successively for each bit of the second number: determining, independent of a state of the bit of the second number, an iterative calculation routine of the bit of the second number; and executing the determined iterative calculation routine of the bit, wherein a result of the iterative calculation is based on a result of the determined iterative calculation routine of a last bit of the second number wherein the cyyptographic circuitry, in operation: initializes a first memory location or register of the memory to one; initializes a second memory location or register of the memory to a value of the first number; and successively, for each bit of the second number: selects an iterative calculation routine between a first routine and a second routine; and in case of a change of routine, updates content of the second memory register or location before executing the selected iterative calculation routine, wherein the result of the iterative calculation is contained in said first memory location or register after execution of the determined iterative calculation routine of the last bit of the second number.
29. The system of claim 28 wherein the iterative calculation is a modular exponentiation, the second number representing an exponent to be applied to the first number.
Unknown
April 13, 2021
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.